Adding ~/.local/bin to default PATH

Till Maas opensource at till.name
Thu Jul 28 16:06:20 UTC 2011


On Wed, Jul 27, 2011 at 02:00:28PM -0700, Jesse Keating wrote:
> On 7/27/11 1:09 PM, Reindl Harald wrote:
> > Depends on the PATH-Order
> >
> > if something is intended to be first in PATH and any attacker is able
> > to write there his "ls" would win against "/bin/ls"
> 
> So, the attacker can write a compromised ls into .local/bin/, but isn't 
> able to modify your .bash_profile ?  Seems like a stretch.

Such vulnerabilities/exploits existed in the past, e.g. I remember one
that allowed creating new world-readable files at an arbitrary
location. It was not possible to change existing files with that
exploit.

Regards
Till
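
The PATH-order concern discussed in this thread can be audited directly. The following is an added example, not part of the original message: a POSIX shell function that lists commands in an earlier PATH directory that shadow a same-named executable later in PATH, and notes whether the earlier directory is writable by the current user. The function names and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit PATH order for shadowed commands (names are illustrative).

# find_in_path NAME LIST: LIST is colon-terminated ("a:b:"). Prints the first
# directory in LIST holding an executable regular file NAME; returns 1 if none.
find_in_path() {
    fp_name=$1 fp_rest=$2
    while [ -n "$fp_rest" ]; do
        fp_dir=${fp_rest%%:*}; fp_rest=${fp_rest#*:}
        [ -n "$fp_dir" ] || fp_dir=.          # empty entry means current directory
        if [ -f "$fp_dir/$fp_name" ] && [ -x "$fp_dir/$fp_name" ]; then
            printf '%s\n' "$fp_dir"
            return 0
        fi
    done
    return 1
}

# path_shadows PATHSTRING: for every executable in a PATH directory that hides a
# same-named executable in a later directory, print
#   <name> <winning-dir> <shadowed-dir> <user-writable|not-writable>
path_shadows() {
    ps_rest=$1:
    while [ -n "$ps_rest" ]; do
        ps_dir=${ps_rest%%:*}; ps_rest=${ps_rest#*:}
        [ -n "$ps_dir" ] || ps_dir=.
        [ -d "$ps_dir" ] || continue
        if [ -w "$ps_dir" ]; then ps_mode=user-writable; else ps_mode=not-writable; fi
        for ps_file in "$ps_dir"/*; do
            [ -f "$ps_file" ] && [ -x "$ps_file" ] || continue
            ps_name=${ps_file##*/}
            if ps_later=$(find_in_path "$ps_name" "$ps_rest"); then
                printf '%s %s %s %s\n' "$ps_name" "$ps_dir" "$ps_later" "$ps_mode"
            fi
        done
    done
    return 0
}

# Constructed layout standing in for ~/.local/bin placed ahead of /bin.
demo=$(mktemp -d)
mkdir -p "$demo/home/.local/bin" "$demo/bin"
for f in "$demo/home/.local/bin/ls" "$demo/bin/ls" "$demo/bin/cat"; do
    printf '#!/bin/sh\n' > "$f" && chmod +x "$f"
done
path_shadows "$demo/home/.local/bin:$demo/bin"
rm -rf "$demo"
```

Calling `path_shadows "$PATH"` audits a real session; any line ending in `user-writable` names a command whose winning copy lives in a directory the current user can write to.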

